We could just not distinguish, and let the disclaimer apply to everyone. In
my case, I could get Howard Schmidt to weigh in - he's about as high up the
operational security food chain as you can get here at MS.
> -----Original Message-----
> From: Andy Balinsky [mailto:balinsky@CISCO.COM]
> Sent: Thursday, May 11, 2000 9:53 AM
> To: cve-editorial-board-list@lists.mitre.org
> Cc: Kevin J. Ziese
> Subject: Re: v 5.4 - from Dave Mann
>
>
> I agree with all the statements about quality over quantity of treaty
> signers. Inclusion of a public forum which includes individuals of
> potentially questionable hat color detracts from the statement.
>
> That said, I'd like to comment about the statement at the end regarding
> affiliations. How do we disclaim those who wish NOT to speak for their
> organizations, but still note people who are speaking FOR their entire
> organization. For e.g., if Kevin and I speak for ourselves, and David
> speaks for the entire Microsoft hegemony, (or vice versa, since Cisco is a
> Fortune 4 company, too) how do we indicate that, without having to put Steve
> Ballmer, CEO as the signatory.
>
> Kevin Ziese and I propose the following
>
> Two signatory columns, one for individuals, one for organizations. If you
> and your org agree, you can show up in both columns. This has several
> advantages:
> 1) It allows people to sign on independent of their org's approval.
> 2) It allows us to demonstrate approval from official bodies (like companies
> and universities)
> 3) It allows a company who won't give approval to be conspicuously absent
> from the organization column, even though Joe Scientist, working for that
> company has signed the letter in the other column.
>
> Andy
>
> ----- Original Message -----
> From: "Dave Mann" <dmann@BINDVIEW.COM>
> To: <cve-editorial-board-list@lists.mitre.org>
> Sent: Thursday, May 11, 2000 10:14 AM
> Subject: v 5.4 - from Dave Mann
>
>
> > Tinkering with Spaf's last version.
> >
> > Changes include:
> > * Word count driven down to 368 (I tried to retain meaning)
> > - In particular, note the hack job I did on paragraphs 2 and 5
> > * Attempted to strengthen a few passages
> > - Replaced "register our opinions" with "register our misgivings"
> > in lead sentence
> > - Replaced "computer users... may not be able to adequately protect"
> > with "computer users... will not be able to adequately protect"
> > in second paragraph
> > * Added (undue?) influence of marketing "add speak" by
> > - shortening/breaking apart sentences and paragraphs
> > - adding bullets to add emphasis
> >
> > I am super impressed with all of the work that took place
> > since I left work last night. In my (not so) humble opinion, I
> > think this is looking really, really good and I would consider
> > it very close to final. My only suggestion at improving it would
> > be to drive the word count down further.
> >
> > 'best,
> >
> > Dave
> >
> > --
> > ==============================================================
> > Dave Mann || e-mail: dmann@bos.bindview.com
> > Senior Security Analyst || phone: 508-485-7737 x254
> > BindView Corporation || fax: 508-485-0737
> > ==============================================================
> >
> >
> > Greetings:
> >
> > As leading security practitioners, educators, vendors, and users of
> > information security, we wish to register our misgivings about the
> > Council of Europe draft treaty on Crime in Cyberspace.
> >
> > We are concerned that portions of the proposed treaty may result in
> > criminalizing techniques and software commonly used to make computer
> > systems resistant to attack. Signatory states passing legislation to
> > implement the treaty may endanger the security of their computer
> > systems since computer users in those countries will not be able to
> > adequately protect their computer systems and the education of
> > information protection specialists may be hindered.
> >
> > Critical to the protection of computer systems and infrastructure is
> > the ability to
> > * Test software for weaknesses
> > * Verify the presence of defects in computer systems
> > * Exchange vulnerability information
> >
> > System administrators, researchers, consultants and companies all
> > routinely develop, use, and share software designed to exercise known
> > and suspected vulnerabilities. Academic institutions use these
> > tools to educate students and in research to develop improved
> > defenses. Our combined experience suggests that it is impossible
> > to reliably distinguish software used in computer crime from that
> > used for these legitimate purposes. In fact, they are often
> > identical.
> >
> > Currently, article 6 of the draft treaty is vague regarding the use,
> > distribution, and possession of software that could be used to
> > violate the security of computer systems. We agree that damaging or
> > breaking into computer systems is wrong and we unequivocally support
> > laws against such inappropriate behavior. We affirm that a goal of the
> > treaty and resulting legislation should be to permit the development
> > and application of good security measures. However, legislation that
> > criminalizes security software development, distribution and use
> > is counter to that goal, since it would adversely impact security
> > practitioners, researchers, and educators.
> >
> > Therefore, we respectfully request that the treaty drafters remove
> > section a.1 from article 6, and modify section b accordingly; the
> > articles on computer intrusion and damage (viz., articles 1-5) are
> > already sufficient to proscribe any improper use of security-related
> > software or information.
> >
> > Please do not hesitate to call on us for technical advice in your
> > future deliberations.
> >
> > Signed,
> >
> > <name>
> > <title>
> > <affiliation>
> >
> >
> > "Organizational affiliations are listed for identification purposes
> > only, and do not necessarily reflect the official opinion of the
> > affiliated organization."
> >
>